Skip to content

fix(security): npm security fixes (2026-05-25)#1326

Open
github-actions[bot] wants to merge 1 commit into
newjitsufrom
security/fix-npm-2026-05-25
Open

fix(security): npm security fixes (2026-05-25)#1326
github-actions[bot] wants to merge 1 commit into
newjitsufrom
security/fix-npm-2026-05-25

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Summary

Batch npm security fixes for moderate+ Dependabot alerts.

Included fixes

  • CVE-2026-46625 (high): JavaScript Cookie per-instance prototype hijack enables cookie-attribute injection — js-cookie 3.0.1 -> 3.0.7
  • CVE-2026-8723 (medium): qs stringify DoS on null/undefined comma-format array entries — qs 6.15.1 -> 6.15.2
  • CVE-2026-45773 (medium): turbo login callback CSRF/session fixation — turbo 2.9.6 -> 2.9.14
  • CVE-2026-45736 (medium): ws uninitialized memory disclosure — ws 8.17.1 -> 8.21.0
  • CVE-2026-45149 (medium): brace-expansion max range DoS protection bypass — brace-expansion 5.0.5 -> 5.0.6

Risks

  • No major version bumps in this batch.
  • turbo was updated from the previously locked 2.9.6 to 2.9.14 to satisfy the security fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants